ci: bump suzuki-shunsuke/pinact-action from 2.0.0 to 3.0.0

[dependabot]

Bumps suzuki-shunsuke/pinact-action from 2.0.0 to 3.0.0.

Release notes

Sourced from suzuki-shunsuke/pinact-action's releases.

v3.0.0

Issues | Pull Requests | suzuki-shunsuke/pinact-action@v2.0.0...v3.0.0 | Base revision

This release is largely driven by the update to pinact v4.0.0. Please also refer to the pinact v4.0.0 release notes.

⚠️ Breaking Changes

#1065 Upgrade pinact to v4.0.0 #1065 Behavior change when skip_push: true

Behavior change when skip_push: true

Previously, this was equivalent to a -check mode. It has been changed to simply skip committing. By default, a commit is created.

With skip_push: true, fix: true, the code is fixed but not committed. A subsequent step can create the commit on its own. This is useful when you want to bundle the pinact changes with other modifications into a single commit.

With skip_push: true, fix: false, validation is performed just like the previous skip_push: true behavior.

Features

#1065 Added inputs to support more pinact options

• files: lets you specify target files (positional arguments of pinact run)
• fix (--fix option)
• no_api (--no-api option)
• verify_min_age (--verify-min-age option)
• branch_to_tags (--branch-to-tags option)
• config (--config option)
• diff_file (--diff-file option)

Commits

• 896d595 chore: prepare release v3.0.0
• 8d2d695 feat!: update pinact to v4.0.0, expose new run options, honor fix in skip_pus...
• bd33019 chore(deps): lock file maintenance (#1068)
• 9117f4d chore(deps): update node.js to v24.16.0 (#1067)
• 378a2b3 chore(deps): update dependency aquaproj/aqua-registry to v4.516.0 (#1066)
• 5c74c8f chore(deps): update dependency aquaproj/aqua-registry to v4.515.0 (#1064)
• 62745e9 chore(deps): update dependency typescript-eslint to v8.59.4 (#1063)
• 1d5e6d9 chore(deps): update dependency aquaproj/aqua-registry to v4.514.0 (#1062)
• 064e7f1 chore(deps): update dependency aquaproj/aqua-registry to v4.513.1 (#1061)
• 3891c77 chore(deps): update dependency aquaproj/aqua-renovate-config to v2.12.1 (#1060)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.53%. Comparing base (cc3342e) to head (706ba3b).

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #54   +/-   ##
=======================================
  Coverage   97.53%   97.53%           
=======================================
  Files           3        3           
  Lines          81       81           
  Branches       21       21           
=======================================
  Hits           79       79           
  Misses          2        2           

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update cc3342e...706ba3b. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[klodr]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Summary by CodeRabbit

• Chores
  • Updated GitHub Actions workflow dependencies to maintain infrastructure reliability and compatibility.

Walkthrough

The workflow .github/workflows/actions-pinned.yml pins the suzuki-shunsuke/pinact-action step to version 3.0.0 (commit 896d595f299e71d65b9d28349d6956abe144390a), upgrading from the previous version 2.0.0 (commit cf51507d80d4d6522a07348e3d58790290eaf0b6). All other workflow configuration remains unchanged.

Changes

Workflow pin update

Layer / File(s)	Summary
Update pinact-action pin to v3 .github/workflows/actions-pinned.yml	The suzuki-shunsuke/pinact-action step commit SHA is updated from v2.0.0 to v3.0.0 in the workflow pin configuration.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• klodr/eslint-plugin-security-mcp#35: Both PRs modify .github/workflows/actions-pinned.yml's suzuki-shunsuke/pinact-action step (one updates the pinned action SHA, the other adjusts pinact action inputs), so they're directly related.
• klodr/eslint-plugin-security-mcp#15: The main PR updates the pinned suzuki-shunsuke/pinact-action commit SHA in .github/workflows/actions-pinned.yml, which is exactly the same workflow/action pin established by the retrieved PR's "actions-pinned" CI gate.

Suggested reviewers

• klodr

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title follows Conventional Commits format with 'ci' type, no scope, imperative mood subject in lowercase, no trailing period, and is 58 characters (well under 72 limit).
Description check	✅ Passed	The description is directly related to the changeset, providing detailed release notes and commit information about the version bump from 2.0.0 to 3.0.0.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/github_actions/suzuki-shunsuke/pinact-action-3.0.0

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/actions-pinned.yml (1)

25-32: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pinact v3 changes skip_push semantics—add fix: "false" to keep validation-only behavior.
.github/workflows/actions-pinned.yml (lines 25-32): in v3.0.0, skip_push: true only skips committing; fix defaults to applying fixes, so the workflow’s validation behavior can change without fix: "false".

Suggested diff

      - uses: suzuki-shunsuke/pinact-action@896d595f299e71d65b9d28349d6956abe144390a # v3.0.0
        with:
          # `version` was removed in pinact-action v2: the pinact binary
          # is now bundled with the action tag, so the action SHA above
          # is the only thing pinning the pinact version.
          skip_push: "true"
+         fix: "false"
        env:
          GITHUB_TOKEN: ${{ github.token }}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/actions-pinned.yml around lines 25 - 32, The workflow uses
suzuki-shunsuke/pinact-action@896d595f... with skip_push: "true", but in pinact
v3 skip_push only prevents committing while fixes run by default; update the
action input block to explicitly set fix: "false" alongside skip_push to
preserve validation-only behavior (locate the action usage block referencing
pinact-action@896d595f299e71d65b9d28349d6956abe144390a and add the fix input).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/actions-pinned.yml:
- Around line 25-32: The workflow uses suzuki-shunsuke/pinact-action@896d595f...
with skip_push: "true", but in pinact v3 skip_push only prevents committing
while fixes run by default; update the action input block to explicitly set fix:
"false" alongside skip_push to preserve validation-only behavior (locate the
action usage block referencing
pinact-action@896d595f299e71d65b9d28349d6956abe144390a and add the fix input).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: af3989a4-a9b5-4152-96ec-7632a48db76a

📥 Commits

Reviewing files that changed from the base of the PR and between cc3342e and 706ba3b.

📒 Files selected for processing (1)

• .github/workflows/actions-pinned.yml